I've just learned about Let's Encrypt, and it made me a little bit worried. Now, I'm afraid (correct me please if I'm wrong) I cannot easily say if the server I'm talking to is the one I <i>think</i> I'm communicating with; the https protocol and SSL certificates are there only to ensure <i>message confidentiality</i>, but not <i>server identity</i>.<p>Here are my questions:<p>1. Is there a way to check in a browser if the current domain's certificate has been issued by Let's Encrypt?<p>2. Should I trust domains with Let's Encrypt-issued certificate less than those with paid certificates with identity validation?<p>Perhaps my questions display lack of understanding of some fundamental concept of SSL. If that's the case, I'm happy to learn!
Most SSL certificates use the same validation mechanisms as Let's Encrypt. Let's Encrypt is not less secure than other providers of domain validated (DV) certificates, all they check is that the requester of the certificate has some kind of control over the domain at the time of the request.<p>You couldn't trust SSL for owner identity before Let's Encrypt either, nothing has changed.<p>If you want stronger guarantees for the identity of the owner, you'll have to look for Extended Validation (EV) certificates (Browsers generally show the company name next to the lock in the URL bar). (<a href="https://www.cloudflare.com/" rel="nofollow">https://www.cloudflare.com/</a> as an example, HN or <a href="https://www.amazon.com" rel="nofollow">https://www.amazon.com</a> as examples of sites that <i>don't</i> use EV)
Your concerns are completly right but there is a catch:
Let's Encrypt is trying to lower the barrier in money and time to offer encrypted connection between a server and you.
Even now there are different level of certificate in the standard, you could notice it when you see the lock icon in your browser turning green or not. Hacker News, for example, doesn't offer owner information so it's grey; Twitter instead turn green as it uses the most secure certificate.<p>The fact is that when you connect to my website ilikeapple.com in which I write about my experience as a apple farmer, you don't need to be sure of my server identity ('cause you don't even know my website) but you could still need message confidentiality ('cause you don't want your rival farmer to know that you are interested in planting apple tree next year).<p>So, don't put your credit card number in a site that not offer server identity (Hacker News for example) but don't worry too much about the certificate of let's Encrypt because are the lower level possible of certificate.<p>P.S. They are working to expand the same concept at "higher grade" certificate but of course is a work in progress (and is not sure it's possible)
To be honest the whole way the internet has always worked is a little backwards...<p>- HTTP: White background with black text.<p>- Mixed content: "Scary" red cross through it.<p>- Domain verified: Green<p>- Identity verified (EV): Super-green<p>In an ideal world it would work like this:<p>- HTTP & Mixed Content: "Scary" red cross through it (i.e. "unencrypted" or compromised encryption).<p>- Domain verified: White background with black text.<p>- Identity verified (EV): Super green.<p>So DV just becomes the new "normal," since all it is asserting is that you haven't been MitM-ed to the specific domain requested. HTTP becomes the new bad (which it is). And only EV gets the green padlock treatment (i.e. so you look for THAT if you enter personal information).<p>PS - Plus you've always been able to get a Let's Encrypt-style certified, just costs you $8 which is easy to get using stolen credit cards.
2. Should I trust domains with Let's Encrypt-issued certificate less than those with paid certificates with identity validation?<p>No...<p>Lets Encrypt should not have the same level of trust as the basic DV level cert from a standard CA.<p>There is a security hole in ACME which is glossed over with handwaving from the fanbois.
<p><pre><code> openssl s_client -connect example.com:443 -quiet
</code></pre>
prints certificate chain, you'll see something like this -<p><pre><code> verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
</code></pre>
- meaning Let's Encrypt is involved.